Guidelines 02/2018 on Derogations of Article 49 GDPR
SECTION 1 GENERAL
This document seeks to provide guidance as to the application of Article 49 of the General Data Protection Regulation (GDPR) on derogations in the context of transfers of personal data to third countries.
The document builds on the previous work done by the Working Party of EU Data Protection Authorities established under Article 29 of the Data Protection Directive (the WP29) which is taken over by the European Data Protection Board (EDPB) regarding central questions raised by the application of derogations in the context of transfers of personal data to third countries. This document will be reviewed and if necessary updated, based on the practical experience gained through the application of the GDPR.
When applying Article 49 one must bear in mind that according to Article 44 the data exporter transferring personal data to third countries or international organizations must also meet the conditions of the other provisions of the GDPR. Each processing activity must comply with the relevant data protection provisions, in particular with Articles 5 and 6. Hence, a two-steptest must be applied: first, a legal basis must apply to the data processing as such together with all relevant provisionsof the GDPR; and as a second step, the provisions of Chapter V must be complied with.
Article 49 (1) states that in the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organization shall take place only under certain conditions. At the same time, Article 44 requires all provisions in Chapter V to be applied in such a way as to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined. This also implies that recourse to the derogations of Article 49 should never lead to a situation where fundamental rights might be breached.
The WP29, as predecessor of the EDPB, has long advocated as best practice a layered approach to transfers of considering first whether the third country provides an adequate level of protection and ensuring that the exported data will be safeguarded in the third country. If the level of protection is not adequate in light of all the circumstances, the data exporter should consider providing adequate safeguards. Hence, data exporters should first endeavor possibilities to frame the transfer with one of the mechanisms included in Articles 45 and 46 GDPR, and only in their absence use the derogations provided in Article 49 (1).
Therefore, derogations under Article 49 are exemptions from the general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards. Due to this fact and in accordance with the principles inherent in European law, the derogations must be interpreted restrictively so that the exception does not become the rule. This is also supported by the wording of the title of Article 49 which states that derogations are to be used for specific situations (“Derogations for specific situations”).
When considering transferring personal data to third countries or international organizations, data exporters should therefore favour solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards to which they are entitled as regards processing of their data once this data has been transferred. As derogations do not provide adequate protectionor appropriate safeguards for the personal data transferred and as transfers based on a derogation are not required to have any kind of prior authorisation from the supervisory authorities, transferring personal data to third countries on the basis of derogations leads to increased risks for the rights and freedoms of the data subjects concerned.
Data exporters should also be aware that, in the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly limit transfers of specific categories of personal data to a third country or an international organization (Article 49 (5)).
Occasional and not repetitive transfers
The EDPB notes that the term “occasional” is used in recital 111 and the term “not repetitive” is used in the “compelling legitimate interests” derogation under Article 49 par. 1 §2. These terms indicate that such transfers may happen more than once, but not regularly, and would occur outside the regular course of actions, for example, under random, unknown circumstances and within arbitrary time intervals. For example, a data transfer that occurs regularly within a stable relationship between the data exporter and a certain data importer can basically be deemed as systematic and repeated and can therefore not be considered occasional or not-repetitive. Besides, a transfer will for example generally be considered to be non-occasional or repetitive when the data importer is granted direct access to a database (e.g. via an interface to an IT-application) on a general basis.
Recital 111 differentiates among the derogations by expressly stating that the “contract” and the “legal claims” derogations (Article 49 (1) subpar. 1 (b), (c) and (e)) shall be limited to “occasional” transfers, while such limitation is absent from the “explicit consent derogation”, the “important reasons of public interest derogation”, the “vital interests derogation” and the “register derogation” pursuant to Article 49 (1) subpar. 1 (a), (d), (f) and, respectively, (g).
Nonetheless, it has to be highlighted that even those derogations which are not expressly limited to “occasional” or “not repetitive” transfers have to be interpreted in a way which does not contradict the very nature of the derogations as being exceptions from the rule that personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place.
One overarching condition for the use of several derogations is that the data transfer has to be “necessary” for a certain purpose. The necessity test should be applied to assess the possible use of the derogations of Articles 49 (1) (b), (c), (d), (e) and (f). This test requires an evaluation by the data exporter in the EU of whether a transfer of personal data canbe considered necessary for the specific purpose of the derogation to be used. For more information on the specific application of the necessity test in each of the concerned derogations, please refer to the relevant sections below.
Article 48 in relation to derogations
The GDPR introduces a new provision in Article 48 that needs to be taken into account when considering transfers of personal data. Article 48 and the corresponding recital 115 provide that decisions from third country authorities, courts or tribunals are not in themselves legitimate grounds for data transfers to third countries. Therefore, a transfer in response to a decision from third country authorities is in any case only lawful, if in line with the conditions set out in Chapter V.
In situations where there is an international agreement, such as a mutuallegalassistancetreaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement.
This understanding also closely follows Article 44, which sets an overarching principle applying to all provisions of Chapter V, in order to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined.